Read this if you get a nasty pop-up trojan....

DuckIT

Graduate

Posts: 155

Loc: London, UK

3+ Months Ago

Hi all

Firstly, apologies for the massive post, but I thought I'd list all the steps I went through to get rid of this:

So I managed to contract a purely *hellish* popup trojan this morning. Thought I'd document my chronicles for any other unsuspecting victims! I'd got the Cool Web Search trojan on a previous occasion, but that was a kitten compared to this thing! It may actually be a more advanced version though....

Symptoms & overview:
- Home page set to: http://aifind.info/ & casino popups all the time.
- Local (LAN) proxy gets set to localhost address (127.0.0.1).
- Notepad.exe gets repointed to c:\windows\system32\actmovie.exe.
- Couple of entries in the registry run directory that point to runwin32.exe & wininet32.exe.
- Google toolbar disappears (if you use it).
- Trend Housecall crashes.
- Various other fun things....

Steps taken:
Ran Ad-Aware 6 (did an update to ensure I had the latest signatures). This seemed to do nothing, even though it found and removed several entries for Cool Web Search.

Found my internet access was blocked, so went to C:\WINDOWS\system32\drivers\etc and checked my hosts file. Sure enough there was an entry for '213.159.117.235 auto.search.msn.com' that seemed to block all internet access (I later found out the reason was that it had changed my proxy settings - will come to that in a minute). Removed the offending line (you only need '127.0.0.1 localhost' unless you're doing anything freaky!) and went to hit save, then noticed the sneaky 'tards had changed my hosts file to read only! Grrrrr. Removed that and saved it.

Once I had internet access again, downloaded the latest version of CWShredder from http://www.spywareinfo.com/~merijn/cwschronicles.html. This seemed to find and fix about 3 spyware programs but the problem still persisted.

Checked MSConfig and found 2 more spyware programs: runwin32.exe & wininet32.exe. Deleted these and their entries.

Checked my local proxy info (in IE) and found it had been changed to 127.0.0.1:8080, hence the lack of internet access earlier. Changed this back.

Noticed that all notepad shortcuts now point to c:\windows\system32\actmovie.exe. Deleted this file and repointed back to notepad.exe (wordpad was unaffected, thank goodness!). Looking at actmovie.exe, I don't think it's actually part of the virus. It seems to be listed as the Microsoft DirectShow setup tool, so maybe it was just pointed to a random file so that Notepad does not work.

Noticed it had removed/hidden my Google toolbar.

Tried to run Trend Housecall. It managed to crash out the window that Trend opens!

At this point I'd got rid of the popups but still had my home page being set to http://aifind.info/, my hosts file getting changed every 5 mins, and the read-only attribute kept coming back. Also the notepad.exe shortcut was still being repointed. Have to admit I was scratching my head a little by now!

Performed a complete virus check using e-Trust from Computer Associates (yes, I know it's not great, but it was free from work so I can't complain). This found another 11 virused files!

Spent a further 30 mins trying various stuff. Then I got heavy, and used HijackThis to basically remove anything I thought looked dodgy. I also Uninstalled Google toolbar to make fault finding in HijackThis easier. This all worked!! This is the stuff I think pertained to the worm (but not sure):

And after 1.5 hours I think it's finally over! I really must switch my virus checker on more often....

S

ATNO/TW

Super Moderator

Posts: 23454

Loc: Woodbridge VA

3+ Months Ago

DuckIT

That is most excellent. It's nice to see people take the time to provide such detail so others can learn. Looks to me like you (at the least) had
http://securityresponse.symantec.com/av ... rojan.html

^That one

But your detailed blog is most impressive and helpful. But like what you did today, it just takes some thought to troubleshoot problems and a good deal of patience... My hat is off to you, sir.

musik

Legend

Posts: 6891

Loc: up a tree

3+ Months Ago

Hi DuckIT, did the popup come up even though you had the Google popup blocker? Also, if you had a firewall would it have stopped it being put onto your system?

Can you recommend how someone can block these things from being downloaded onto their computer without their permission?

Thanks,
Rose

(great post by the way)

DuckIT

Graduate

Posts: 155

Loc: London, UK

3+ Months Ago

Quote:

But your detailed blog is most impressive and helpful. But like what you did today, it just takes some thought to troubleshoot problems and a good deal of patience... My hat is off to you, sir.

Heh, thanks. Patience though? I was growling like a dog and reeling off all the things I'd like to do to the person that coded this.

Quote:

Hi DuckIT, did the popup come up even though you had the Google popup blocker? Also, if you had a firewall would it have stopped it being put onto your system?

Yeah, the Google pop-up blocker only seems to block IE windows that initiate from the original window. It won't stop you getting the thing in the first place & it won't stop any subsequent pop-ups, as they are started by the OS rather than IE.

Quote:

Can you recommend how someone can block these things from being downloaded onto their computer without their permission?

*cough* a virus checker would probably be a good start. I had mine disabled as it's a games machine & rarely used for surfing. Learned my lesson I have (to be said in your best Yoda voice).

Also, I think most ad programs come with a feature to stop this kind of thing. Ad-Aware does, for instance. In this instance though, I have a feeling that I had one of those grey yes/no to installation boxes come up and it looked like the default option was to click No, hence I did not bother with the mouse but rather hit Enter. With hindsight it was probably coded to look like 'No' is the default when in fact Yes is!

caperjack

Newbie

Posts: 9

Loc: NS,Canada

3+ Months Ago

A few programs to help stop adware/spyware/malware, whatever you want to call it.
This one installs blockers in the registry. Download site: Here

Download and install these two programs to help stop spyware.

Spywareblaster

SpywareGuard

Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

Also check how I got infected in the first place.

http://www.computercops.biz/postlite7736-.html

DuckIT

Graduate

Posts: 155

Loc: London, UK

3+ Months Ago

I still have the damn popup thingy. Blasted thing it is. I've run CWShredder, Ad-Aware, HijackThis & Pest Patrol and it still comes back after a reboot! Checked reg entries, checked startup files, yada yada yada. Damn, they are getting good these days!

Thanks for the tip caperjack, I'll give SpywareBlaster a go when I get some time. For the moment, I've just given up on browsing on that machine. It's only a games PC anyway.

S

caperjack

Newbie

Posts: 9

Loc: NS,Canada

3+ Months Ago

SpywareBlaster is for use after you get rid of all infections.
Post your HijackThis log to see what is in it.
It sounds like you have the returning and harder to get rid of about:blank.

DuckIT

Graduate

Posts: 155

Loc: London, UK

3+ Months Ago

I *think* I got it now. I'll double check again when I get home but it looked ok this morning.

Thanks

S

DuckIT

Graduate

Posts: 155

Loc: London, UK

3+ Months Ago

It's still there!

I'm seriously considering sacrificing a chicken over my computer. Think this will help?

I can sometimes get rid of it but it comes back the next day. I'm 99% sure I'm not getting myself re-infected as I don't use this PC much for surfing. It seems like it's timed to re-infect me every day somehow.

Quote:

It sounds like you have the returning and harder to get rid of about:blank.

This sounds good. I'm all ears!

HijackThis log (I've removed all the R0-R1 & the O2 entries before - they just come straight back. I'm presuming one of my processes has been replaced by this but no idea which):

You do have the hidden DLL, about:blank. I have never had it, but I do study and help at the SWI forum, and this is the fix they use.

Download reglite

Install "Reglite" and run it, then enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs into the address bar.

Double click on AppInit_DLLs to open a "Data Editor" properties window. If the bottom text field named "Value" contains a .dll file, then this is the hidden file you need to get rid of.

You should not be able to delete this file if you try to clear the value field. IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.

Rename the Folder "Windows" (This is a purple "highlighted" folder in the left hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".

Click AppInit_DLLs again, clear the value containing the .dll and OK it. This should have removed the .dll.

Rename the windows folder back to its original name "Windows".

Next step will be to remove this dll file so make sure you have it noted down.

Click "Start" => "Run" and type in "cmd" (Without the quotations) and click on "Okay".

This will open a command window. I will assume you have a basic knowledge of DOS; if you have any problems at this point just write back and I will outline the commands.

Type in dir <path and name of dll as found in the appinit value box> and press "Enter". You should see the name of the file listed.

Go to the system32 folder (This is where the .dll file will typically reside) and type attrib -r "nameofdll".dll

Type del "nameofdll".dll

Type dir <path and name of dll as found in the appinit value box> and look for the dll name; the dll should now have been removed and will not be listed.

Check the following two links for instructions on downloading and running the applications listed:

How to use Spybot to remove Spyware

How to use Ad-Aware to remove Spyware

Restart computer in safe mode (How do I boot into "Safe" mode?) and run these programs again, just to make sure all traces are gone.

Boot up pc as normal and you should be trouble free.
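Two of the checks this thread walks through by hand, the hosts-file hijack in DuckIT's first post and the AppInit_DLLs value in the fix above, as an added example that is not from any poster: a small Python auditor run over constructed sample text (a hosts file and a .reg-style export of the key). The sample values are constructed; the msn.com entry and the wdm.dll path are the ones reported in the thread.

```python
import re

# Constructed sample hosts file: the one line a clean file needs plus the
# redirect entry DuckIT found.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
213.159.117.235 auto.search.msn.com
"""

# Constructed .reg-style export of the AppInit_DLLs value. Every GUI process
# loads whatever is listed here, which is why the hijacker kept coming back.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\wdm.dll"
"""

LOOPBACK = {"127.0.0.1", "::1"}


def hosts_hijacks(text):
    """Return (ip, hostname) pairs other than the expected localhost lines.

    Anything else either redirects a real site (the msn.com entry above) or
    sinkholes it to loopback, a common way of blocking AV and update sites.
    """
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if not (ip in LOOPBACK and name.lower() == "localhost"):
                hits.append((ip, name))
    return hits


APPINIT_RE = re.compile(r'^"AppInit_DLLs"="(.*)"$', re.M)


def appinit_dlls(reg_text):
    """Return the DLL paths listed in AppInit_DLLs, or [] when the value is clean."""
    m = APPINIT_RE.search(reg_text)
    if not m or not m.group(1):
        return []
    value = m.group(1).replace("\\\\", "\\")   # .reg exports double backslashes
    return [p for p in re.split(r"[ ,;]+", value) if p]


if __name__ == "__main__":
    print("hosts hijacks:", hosts_hijacks(SAMPLE_HOSTS))
    print("AppInit_DLLs:", appinit_dlls(SAMPLE_REG))
```

On a real machine the same functions can be fed the contents of C:\WINDOWS\system32\drivers\etc\hosts and a `reg export` of the key; a non-empty result from either is worth investigating before the reboot that brings the hijacker back.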

caperjack

Newbie

Posts: 9

Loc: NS,Canada

3+ Months Ago

Or use this info.

http://forums.subratam.org/index.php?showtopic=583

DuckIT

Graduate

Posts: 155

Loc: London, UK

3+ Months Ago

I'm working on this now thanks caperjack! I'll post in a while with results. Nice registry editor that is by the way.

Quite ironic that after acting all big about how clever I was to get rid of this, my post turns into a cry for help.

S

DuckIT

Graduate

Posts: 155

Loc: London, UK

3+ Months Ago

OK, I followed all the instructions. Your details didn't seem to clear it, as the file it pointed to (C:\WINDOWS\System32\wdm.dll) seemed to be somehow invisible even though I have show hidden & system files switched on.

Luckily the batch file in your second post sorted it. It did all this:

File is still in original location now unlocked. It is now ok to proceed with Rest of Cleanup.

and that seemed to resolve it, so I was able to manually delete it then! I did everything else in the post. I just have to leave it a day or two now to see if that fixed it. Hopefully it has.

Thanks a lot dude!!

S

caperjack

Newbie

Posts: 9

Loc: NS,Canada

3+ Months Ago

You're welcome, glad it worked. I'm new to those programs and have never had to run any of the fixes on my own machine; I just pass it along for folks to use to fix their problems.

firediablosg

Born

Posts: 1

3+ Months Ago

Quote:

Found my internet access was blocked, so went to C:\WINDOWS\system32\drivers\etc and checked my hosts file. Sure enough there was an entry for '213.159.117.235 auto.search.msn.com' that seemed to block all internet access (I later found out the reason was that it had changed my proxy settings - will come to that in a minute). Removed the offending line (you only need '127.0.0.1 localhost' unless you're doing anything freaky!) and went to hit save, then noticed the sneaky 'tards had changed my hosts file to read only! Grrrrr. Removed that and saved it.

How do I edit the hosts file?
Please reply ASAP. Do I need a program or can I just edit it from MS-DOS?

I'm a noob and I'll be guiding a friend over the phone on how to restore his internet access... (I deleted his runwin32.exe and wininet32.exe because of an uncleanable virus.)

DuckIT

Graduate

Posts: 155

Loc: London, UK

3+ Months Ago

On Windows XP it's in c:\windows\system32\drivers\etc. Double click it, choose 'select the program from a list', then choose Notepad or WordPad.

Don't delete this entry:

127.0.0.1 localhost

S

P.S. a day later and this thing isn't back so thanks again caperjack & anyone else who threw in comments!